When I start a new job or consulting gig, the most common problem I encounter is lack of IT systems documentation. I often spend the first few weeks on the job doing reverse engineering, discovering as much as possible about the company’s systems.

An opposite problem is too much documentation. Well, more precisely, too much bureaucratic documentation, much of it out of date. There’s a lot of documentation in place, but much of it is in the weeds, minutia about procedures, for example, with no clear architectural summaries. Documentation is hard to maintain, so much of what I find it horribly out of date – so, reverse engineering again (!), to figure out what’s really in place.

Through the years, I’ve identified an essential list of documents and policies are both easy to maintain and helpful to doing my job. These documents also map well to PCI and other Cybersecurity frameworks. There are also opportunities to automate some of this documentation – device asset listing, for example. But, let’s start with the essentials first, some basic documents for IT:

Identifying Assets and Data

  • Assets Map
    • Physical Deployment Diagram of systems and components (use UML)
    • Network diagram – office(s) and cloud network pipes, interconnections, and boundaries.
    • (sometimes useful to combine these two diagrams)
  • Assets Inventory – detailed listing of all systems (servers, network devices, etc.) and licensed software.
  • License Management and Compliance document – listings of all software licenses, assignees, renewal dates, etc.
  • Sensitive Information (PCI, PII, Health) Maps – an inventory, data flow diagrams (UML activity diagram) of each , including backup locations, logs

Additional policies to consider:

  • Acquisition Assessment Policy – criteria for evaluating new device, software, and vendor acquisitions
  • Software Installation Policy
    • Installation benchmark procedures/automation for each type of platform (laptops, servers, etc.)


  • Information Security Policy – and Employee Training guide
  • Acceptable Use Policy – covering use of company IT equipment, network, email, social media
  • Password Protection Policy, Database Credentials Policy, Remote Access Policy, Server Security Policy, Wireless Communication Policy, Router & Switch security policy
  • for developers: web application security policy, acceptable encryption policy, logging standards

Additional policies to consider:

  • Clean Desk Policy
  • Email Policy
  • Technology Equipment Disposal Policy


  • Security Incident Response Plan Policy.

Recover/Business Continuity

  • Backup Policies and Procedures (addressing server images, file backups, and transactional backups)
  • Backup Physical Deployment Diagram